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(57) ABSTRACT 

In the method in accordance with the present invention, the 
subscriber identifier to be sent to the transmission network 
is encrypted using a cipher key common to a specific group 
of subscribers, and a random number is attached to the 
identifier to be sent to the network. For example, a sub- 
scriber group may consist of the subscribers to a single given 
operator. The section of the identifier specifying the sub- 
scriber group is sent to the network in a non-encrypted 
format, in which case the network is able to direct the 
encrypted message to such a network element where it can 
be deciphered. 

7 Claims, 4 Drawing Sheets 
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METHOD FOR USER IDENTITY 
PROTECTION 

This is a continuation of PCT/F1 98/00291 filed Apr. 1, 
1998. 

FIELD OF THE INVENTION 

The present invention relates to the transfer of subscriber 
identity in a protected format in a telecommunications 
network, particularly in mobile communications systems. 

BACKGROUND OF THE INVENTION 

Protecting subscriber identity means the concealment of 
the identity of a user of a telecommunications network from 
outsiders. Protection of identity is of special importance in 
mobile communications systems, where the subscriber and 
the network identify themselves to each other before the 
connection is made. If subscriber identity is transferred 
unprotected, it is possible to follow the movements of the 
subscriber by monitoring the radio connections established 
between the subscriber and the network. In addition, by 
protecting the subscriber's identity it is possible to consid- 
erably complicate the deciphering of data communications. 
Protection of subscriber identity may be desirable in fixed 
network systems as well. In circuit-switched systems of a 
fixed telephone network, the subscriber identity is deter- 
mined by the subscriber line, and thus subscriber identity is 
not transferred as a message; instead, it is always determined 
by the subscriber line used. In packet-switched systems, the 
subscriber identity is transferred in each data packet sent by 
the subscriber, and so the subscriber identity can be fully 
concealed using encryption methods suitable for use in 
mobile communicatioas systems. 

FIG. 1 illustrates a known mobile communications net- 
work. The figure shows two mobile services switching 
centres MSC1, MSC2, base station controllers BSC, base 
transceiver stations BTS, a mobile station MS, a home 
location register HLR, and an authentication centre AUC 
typically located in association with a HLR. The mobile 
services switching centres are capable of establishing sig- 
nalling connections with the home location register HLR 
and the authentication centre AUC. 

Each mobile subscriber has a home public land mobile 
network HPLMN operated by an operator with which the 
subscriber has concluded an agreement. The user's sub- 
scriber data is stored in the home location register HLR of 
his home public land mobile network and the related authen- 
tication centre AUC. The authentication centre has all the 
data necessary for verifying the authenticity of the identity 
communicated by the user. In the home location register 
HLR, the mobile subscriber international ISDN number 
MSISDN can be linked to the user's international mobile 
subscriber identity IMSL In addition, information on the 
services ordered by the subscriber as well as the user's 
current location to an accuracy within the visitor location 
register VLR address is stored in the home location register. 
No subscriber can be registered with more than one visitor 
location register VLR at any given time. 

The visitor location register VLR located in association 
with the mobile services switching centre MSC is also used 
to maintain data on the location of users registered with the 
applicable visitor location register to an accuracy of a so 
called location area. In addition to the services offered by the 
home public land mobile network HPLMN, a subscriber can 
use the services available in those other visited public land 
mobile networks VPLMN with which his own operator has 
signed a roaming agreement. 
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Through the mobile services switching centres MSC, 
mobile communications systems are linked to fixed tele- 
phone networks, such as a public switched telephone net- 
work PSTN or an integrated services digital Network ISDN. 

5 Several base transceiver stations BTS arc connected to a 
base station controller BSC. The base transceiver stations 
are capable of making connections with mobile stations MS 
consisting of mobile equipment ME and subscriber identity 
modules SIM using channels of the so called air interface. 

10 In mobile communications systems representing prior an, 
the objective is to transmit subscriber identity protected 
across the air interface. For example, the known GMS 
system uses a temporary mobile subscriber identity TMSI 
illustrated in FIG. 2 to conceal the user's international 

15 mobile subscriber identity I MSI. 

As shown in FIG. 2, information about the temporary 
mobile subscriber identity TMSI is only stored in the user's 
visited location register VLR and mobile station MS. When 
the network and the mobile station contact each other, the 

20 temporary mobile subscriber identity, if available, is always 
used for identification instead of the international mobile 
subscriber identity IMSL TMSI consists of two components, 
one being the location area code LAI and the other the 
temporary subscriber identity code TIC (TMSI Code) that 

25 uniquely identifies the user within the location area. The TIC 
code is unique within one location area LAI. Information 
about the temporary mobile subscriber identity TMSI is not 
transmitted to the home location register HLR; instead, the 
temporary mobile subscriber identity TMSI used across the 

30 air interface is always converted in the visited location 
register VLR into the international mobile subscriber iden- 
tity I MSI. For communications between the home location 
register HLR and the visited location register VLR, the 
permanent identification IMSI is always used for subscriber 

35 identification purposes. 

FIG. 3 illustrates the generation and maintenance of the 
temporary mobile subscriber identity TMSI. VLR assigns a 
mobile station a new temporary identity, for example in 
connection with each location update. The mobile station 

40 sends to the network a non-encrypted LOCATION UPDATE 
REQUEST 301 to identify itself using the temporary mobile 
subscriber identity TMSI, if defined, and communicates its 
previous location area. The request must be transmitted 
non-encrypted because the network has no previous infor- 

45 mation on the user's identity or user-specific encryption 
keys. The request is forwarded to the visited location register 
VLR. When receiving the request, the visited location reg- 
ister requests the necessary information from the user's 
previous visited location register on the basis of the previous 

50 location area data. At this point, the network directs the 
mobile station to activate cipher mode (phase 302, CIPHER 
MODE COMMAND) and the mobile station acknowledges 
the command (phase 303, CIPHER MODE COMPLETE). 
The network indicates acceptance of the location update 

55 (phase 304, LOCATION UPDATE ACCEPT) and gives the 
user a new temporary mobile subscriber identity TMSI (305, 
TMSI REALLOCATION COMMAND), in response to 
which the mobile station acknowledges the new identity 
(306, TMSI REALLOCATION COMPLETE). The new 

60 TMSI can also be incorporated in the phase 304 message 
LOCATION UPDATE ACCEPT, in which case the phase 
305 TMSI REALLOCATION COMMAND is not used. 

Where possible, the GSM system always uses the tem- 
porary mobile subscriber identity TMSI that conceals the 

65 subscriber's true identity. To ensure that TMSI can be used, 
it must be possible to link it to the international mobile 
subscriber identity IMSI in the visited location register VLR. 
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However, this is not possible when the user contacts the able to identify the subscriber with the accuracy necessary 

network for the first time. Additional problems are created for routing, such as to within the subscriber's home network 

by situations where VLR, due to loss of data caused by a or home location register. It is advantageous to protect the 

malfunction, is incapable of linking the temporary mobile identity without, however, encrypting the component iden- 

subscriber identity TMSI to the international mobile sub- 5 tifying the user's home public land mobile network, 
scriber identity IMSI. For this reason, the network may 

always ask the mobile station to send the original IMSI, BRIEF DESCRIPTION OF TOE DRAWINGS 

which will then, in response, be transmitted in a non- ™_ . . . , . t , t ... f 

, - . , ^ . 4 . The invention is described in greater detail with reference 

encrypted format by the mobile station. , t , , ° . 

3V J , to the accompanying drawings, where 

Another known method for protecting user identity in 10 . 

. , 4 , . r , . . ° A . FIG. 1 shows the structure of a mobile communications 

transmission is the technique used in the i EI RA system. t , . t . . . . , . 

«. . . ^ 0fcJ f . *u tttiia ♦ _1 ™ system and its network elements involved in authentication; 

Similarly to the GSM system, the l b I RA system may J 

employ an encryption procedure called alias short subscriber FIG - 2 shows a known method for protecting the identity 

identity ASSI, which is based on temporary identity. In of the subscriber based on the use of a temporary identifier; 

addition to, or instead of, ASSI, TETRA may also use 15 FIG. 3 shows a procedure for changing the temporary 

encrypted short identity ESI, which is described in greater subscriber identity; 

detail in the ETS 300 392-7 Specification published by ETSI fig. 4 shows a known method for protecting the identity 

(European Telecommunications Standards Institute). of the subscriber based on concealing the identity; and 

Generation of the encrypted short identity ESI is illus- FIG. 5 shows a method in accordance with the present 

trated in FIG. 4. The encrypted short identity ESI is com- 20 invention for protecting the identity of the subscriber, 
puted using the algorithm TA61 and the SSI identity and the 

common cipher key CCK that is common to several users, DETAILED DESCRIPTION OF THE 

or the static cipher key SCK, as input data. INVENTION 

Tlie static cipher key SCK is always used before the m mvention ^ dcscribed below ^ a mobile com . 

authentication process is carried out. A maximum of 32 munications tem as an le Howcvc tne of 

static cipher keys .to be identified by the identification ^ [& m{ tQ user idend ction ^ 

number SCKN (SCK Number) sent by the network to the mM]fi communications tems> bm the m ; e F Dtion can 5e 

mobile station, can be associated with any single subscriber ^ {q fixed Qetwork g ffi weU 

identity. A common SCK is assigned to all those mobile „ „, . ., ,, ,,. 

stations in a single switching and management infrastructure 30 , ^ me ™ of , the P re , sent invention, the problem of dis- 

SwMI that have access to the network section concerned. closu l re of identity is eliminated by ' delivering the interna- 

■ i_ i . j . tional mobile subsenber identity IMSI to the subscriber s 

TTie common cipher key CCK assigned to several users home of Qther dM ag re , iable ^ afl 

and, if necessary, changed by the network, is sent to the t . f . . n ... , M „. 

, . ~ J , encrypted format in such a way that the network receiving 

subscribers in a format encrypted with the derived cipher 35 ™ nevertheless capable of routing 

keys DCK provided by the authentication process, which ^ ^ A method . fl ac J dance with tfa * 

means that it cannot be used until authentication is com- ^ ^ ^ be im lemeQted b 

pleted On y one common cipher key CCK may be operative * ^ hm ^ ^ ^ 5 , n J hm £ 

in the location area at any given time. As it i* all the mobile acco ^ dance ^ ¥ { G 5j the mobile station MS (more 

stations in the same location area can decipher any identity 4Q ^ subscfiber station) first m ^ hase 

encrypted with the common cipher key CCK. ^ ^ number RANDl ^ Qumber 

The problem of the arrangement described above is that already generated in the authentication phase may be used 

several mobile stations know the cipher key and can thus fof random QUmber rand^ Whal ^ essential is that a 

decipher identity. Since all changes to the cipher key are mobile statk)n Qever uses tfae same r£mdom number several 

always done by the network, the same encrypted short 45 times fof protecting its identity. In phase 502, the mobile 

identity ESI is typically used several times. Third, the stat ion generates the cipher key Kd using the one-way hash 

network with which the mobile station communicates, learns flinct i on H 4. For input data for the function, the random 

the identity of the mobile subscriber even when it does not number RAND1 and the HLR-specific key Kh are used. The 

need to know it. key is embedded j n the subscriber identity module SIM 

The objective of the present invention is to elimin ate these 50 in such a way that it cannot be accessed other than by 

problems associated with prior art. This objective is breaking the module. 

achieved by using the method described in the independent The faash function H4 must be a one . wa y function corn- 
patent claims. plete wim a key fonowing shall apply: 

SUMMARY OF THE INVENTION 1. when Kh and RANDl are defined, a unique H4(Kh, 

The idea of the invention is to encrypt the subscriber 55 RANDl) is easy to compute; 

identity data to be sent to the transmission network using a 2 - wneD RANDl is defined but the Kh key is unknown, it 

cipher key common to a certain group of users and a random ^ impossible, or at least extremely difficult, to compute 

number which is sent to the network attached to the H4(Kh, RANDl); 

encrypted identity data. Such a group of users may consist 60 3- wnen a large number of random numbers RANDl and 

of all the subscribers of a given operator, all the users in one the corresponding values of the hash function H4(Kh, 

home location register, or any group of users defined within RANDl) are defined, but the Kh key is unknown, it is 

one home location register. impossible, or at least extremely difficult, to compute 

The transmission network must be capable of routing the th e K " key; and 

message containing the identity of the subscriber to the 65 4. when a large number of random numbers RANDl and 

subscriber's home public land mobile network or other the corresponding values of the hash function H4(Kh, 

network defined as reliable. Therefore, the network must be RANDl) are defined, but the Kh key is unknown, it is 
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impossible, or at least extremely difficult, to compute 
the value of the hash function H4(Kh, RAND1') for the 
given input RAND1\ if the value is previously 
unknown. 

Examples of known hash functions that use keys include 
HMAC (Hash-based Message Authentication Code) algo- 
rithms based on the SHA(Secure Hash Algorithm) and MD5 
(Message Digest Algorithm 5) algorithms and the GSM 
system algorithms A3 and A8. 

In phase 503, the mobile station encrypts its IMSI identity 
using the Kd key and IMSI identifier as input data for the 
cipher algorithm E and sends its encrypted identity and the 
random number RAND1 to network VPLMN. The network 
receives the message. To transmit the subscriber's message 
to the correct home location register, the network must be 
able to determine the subscriber's HLR address from the 
message. To achieve this, it is preferable to use the E 
algorithm as the cipher algorithm, because it leaves the 
HLR-specified section of the identifier non-encrypted. 
Typically, the subscriber IMSI identifier is of the type 
IMSI=HLR address+the data identifying the subscriber 
within the HLR. Of this identifier, the cipher algorithm must 
then retain the HLR address component intact and only 
encrypt the data identifying the subscriber within the HLR. 

After determining the subscriber's home location register 
address from the message received, the network forwards 
the message containing the encrypted identifier data EIMSI 25 
and random number RAND1 to the home location register 
HLR. However, the network is unable to determine the true 
IMSI identity of the subscriber. Because the identifier data 
is always encrypted using a fresh, not-previously-used ran- 
dom number RAND1, the network is similarly unable to 30 
make a connection between the encrypted identities of the 
user and thus monitor the user's movements. 

In phase 505, HLR computes the cipher key Kd by means 
of the key Kh known to it and the random number RAND1 
received from the mobile station. In phase 506, HLR deci- 
phers the subscriber identifier IMSI using the Kd key and the 
encrypted EIMSI identity provided by the mobile station. 

Since the Kh key is only known to the mobile station and 
its home location register, any eavesdropper listening in on 
the transmission path between the mobile station and its 
home location register is unable to learn the subscriber's 
identity. Naturally, the eavesdropper can figure out the 
subscriber's home location register address but cannot deter- 
mine the subscriber's individual identity from among the 
subscribers in the home location register that typically 
contains several hundreds of thousands of subscribers. 
Furthermore, since the identifier data is always encrypted 
using a fresh, not-previously-used random number RAND1, 
the eavesdropper is similarly unable to link the various 
encrypted identities used by the subscriber and thus monitor 
the subscriber's movements. 

The cipher key Kh need not necessarily be identical to all 
the mobile subscribers in a given home location register. In 
such a situation, the home location register must, 
nevertheless, be able to determine the Kd key to be used 
from the message transmitted by the mobile station. This can 
be accomplished, for example, by dividing the subscribers in 
the home location register into groups, within which an 
identical key is used, and by attaching the group identifier to 
the message sent by the mobile station to the network. For 
example, this can be achieved by setting up such groups on 
the basis of the first digit of the subscriber section in the 
IMSI identifier and transmitting the first digit of the sub- 
scriber section non-encrypted. By doing so, it is possible to 
further complicate the deciphering of the Kh key, because 
even if one key were successfully deciphered, this informa 
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increases. As a result, the group of subscribers, to which an 
individual subscriber, on the basis of encrypted identifier 
data and without deciphering, may be assumed to belong, 
decreases. 

For subscribers whose home public land mobile network 
HPLMN includes several home location registers HLR, 
encryption can also be carried out in such a way that only the 
subscriber's HPLMN can be determined from the encrypted 
EIMSI identifier. Then, the messages transmitted by the 
subscriber under the concealed identity are routed within the 
HPLMN to a specific home location register HLR specified 
for deciphering. 

Segregation of the computation of the Kd cipher key from 
the protection of identity is not of the essence in the present 
invention. The protected identity can equally well be com- 
puted directly using a single function EIMSI=E(IMSI, Kh, 
RAND1). 

Although the above embodiments of the invention are 
discussed in relation to a mobile communications network, 
the scope of the invention is not limited thereto. The method 
is equally suited for user identity protection in fixed net- 
works. 

Obviously, the potential embodiments of the invention are 
not limited to the above embodiments presented by way of 
example, but may vary within the scope of the attached 
patent claims. 

What is claimed is: 

1. A method for protected transmission of user identity to 
the user's home network in a data communications system 
that includes at least, subscribers each with a unique iden- 
tifier and a home network, subscriber stations of the 
subscribers, at least one data communications network 
including network elements, and in which connections can 
be made between mobile stations and the data communica- 
tions network, the method comprising: 

dividing an identifier into a first and second section in 
such a way that the first section includes data necessary 
for identifying a subscriber group and the second 
section identifies a subscriber within the subscriber 
group 

generating a random input at a subscriber station, 
encrypting the second section of the subscriber's identifier 
using the random input and a cipher key specific to each 
subscriber group, 
sending a message to a network element of a data com- 
munications network, the message containing a par- 
tially encrypted identifier consisting of the first section 
and the encrypted second section and the random input 
used, 

routing the message from the data communications net- 
work to the subscriber's home network, and 

deciphering the identifier in the subscriber's home net- 
work. 

2. The method in accordance with claim 1, where the 
subscriber identifier consists of a section specifying the 
subscriber's home network and another section specifying 
the subscriber within the subscriber's home network, 
wherein the group of subscribers consists of subscribers 
within a single home network and that the encrypted section 
of the identifier is that part of the identifier that determines 
the subscriber's identity in the home network. 

3. The method in accordance with claim 1, where the 
subscriber identifier consists of a section specifying one 
Home Location Register and another section specifying the 
subscriber within the Home Location Register, wherein the 
group of subscribers is a group within one Home Location 
Register and that the encrypted section of the identifier is 
that part of the identifier that determines the subscriber's 



tion could no longer be used for disclosing the identities of 65 identity within the Home Location Register, 
all the other users in the network. However, the amount of 4. The method in accordance with claim 1, where the 
identifier data transmitted in a non-encrypted format subscriber identifier consists of one section defining a group 
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of subscribers within one Home Location Register and 
another section defining the subscriber within the subscriber 
group, wherein the subscriber group is a group of subscrib- 
ers defined within one Home Location Register and that the 
encrypted section of the identifier is that part of the identifier 5 
that determines the subscriber's identity within the sub- 
scriber group. 

5. The method in accordance with claim 1, wherein the 
random input is specifically generated by means of a random 
number generator. 
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6. The method in accordance with claim 1, wherein for the 
random input, a random number already generated for the 
authentication process is used. 

7. The method in accordance with claim 1, wherein the 
subscriber station is a mobile station operating in a mobile 
communications system and that the data communications 
network is a mobile communications network. 

♦ * * * * 
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